Dear Cloudflare, Ethics in technology demands more than a silent stance.
Greetings folks,
I’ve been well occupied lately, having organized a flurry of technology projects in order to tie up loose ends in preparation to return for my fall semester at college. Having recently recovered from an injury, I have no shortage of upcoming writing topics. With that I say to you, strap in and get ready for another few seasons of technology blogs covering my various efforts and observations.
Today’s blog is inspired by some recent grievances with the internet networking company Cloudflare. Some are my own, concerning how they handle website security certificate renewal, and some come from the public eye in light of the recent controversy around unscrupulous web hosting. I hope to show you, the reader, some insight into how patience in adopting the newest technologies would help similar network-based companies operate, and why Cloudflare, despite its best features and decades of presence, continues to face an uphill battle in this area.
Cloudflare is an internet service company. Their line of business can be compared to that of competitors such as Akamai, except seen at a consumer-facing level. Cloudflare services cover demand for most internet networking. For smaller users such as myself who need web hosting and a way to keep their server’s IP address anonymous, Cloudflare offers an IP to DNS proxy service and DNS to consumers through their own endpoint of 1.1.1.1. [1] For enterprise users, they offer these tools alongside service level agreements and support technicians to account for compliance and uptime demands. [2] They are early adopters of the newest and brightest technologies on the web such as HTTP’s H3 QUIC protocol and they continue to look for new innovations to deliver speed and value to customers. [3] Their rapid push for innovation, however, leads them to sometimes make impulsive decisions which affect their customers over long term periods. I found myself trying to troubleshoot through one of these issues dealing with my website’s SSL certificate.
Cloudflare uses many SSL providers to let website owners deliver content over the web securely. One such provider is LetsEncrypt. LetsEncrypt uses SSL certificates that expire and renew at a 3 month interval. These typically operate through Cloudflare’s proxy unless a user plugs their own into the “full tunneling” proxy method through a dashboard interface. With my website’s LetsEncrypt certificate expiring a day ago, an issue caused endpoint browsers to display the standard error “SSL Conflict” to users. This means that while one certificate on the server might be valid, the proxy server doesn’t have access to seeing this area and thus cannot deliver the website.
The normal fix for this would be to re-register the service with my main host, in this case Hostinger, allowing an auto renewing ZeroSSL certificate to process, and then transferring ownership back to Cloudflare when the cert renews. This resolution did not work in this case, and Cloudflare continued to hold the LetsEncrypt certificate running on their proxy. After a few hours of troubleshooting with Hostinger, we determined the issue was indeed Cloudflare proxy based and not with Hostinger’s certificate.
The resolution to this issue involved using a curl script to renew the cert through their public API. [4] The request was easy enough but left me scratching my head as to why this was not available through the dashboard itself. At the time of writing, Cloudflare does not provide a button to renew expired certs on their front end, or to change the authority to a different company. One can argue that having this choice is one area where consumers would gain the ability to exercise their rights to choose a preferred provider.
LetsEncrypt had come under public scrutiny over their business decisions and sheer volume of SSL certs issued to potentially problematic customers. [5] This issue dates back to 2020 and is well documented. The end of a root certificate would cause similar issues to what happened with my own site. As my website was started at around April 2020, I had dodged this issue, but found a similar one come up as the 30 days to expiry renewal did not overturn with Cloudflare’s service in place to renew these certificates.
Cloudflare happened to have switched over to ZeroSSL around the same time. This was because the provider they use, acme.sh, a public tool for certificate renewal, changed their default from LetsEncrypt. The decision had not fallen on Cloudflare to make the changes, rather relying on another vendor to act and respond according to demand and need. [6] Taking a neutral stance in this area opens the door to notable ethical issues which technology companies wrestle with, such as control over user privacy and responsibility over hosting other users’ content over the web.
Cloudflare had recently adopted many of the new and focused fintech topics such as blockchain through a new Web3 management interface. [7] This platform came with a set of moral objections, facing public scrutiny from luddites as well as valid concern over projects such as NFTs, which have been cited as a threat to artist ownership, livelihood, and a forced new cost to protecting their works. Only recently have government reporters taken notice of these trends and technologies and noted cases of this type of fraud.
“Scammers have previously duped… verification process and impersonated famous artists.” — Congressional Research Service report on Non Fungible Tokens (NFTs)[8]
Due to their speed of adoption, Cloudflare has always been seen as a neutral player in the internet service and networking landscape for over a decade. This has led to some recent and unfortunate news as the internet has taken notice of rather heated topics around hate speech.
Technology and ethics of company operations go hand in hand in defending the public not only from minor tech inconveniences, but from major moral shifts into extreme ideologies. I will not cover here what types of discussion take place on sites such, but I will note the most recent example is listed by name in many articles posted from the Anti-Defamation League. [9] Many Twitter users have recently taken notice of this fact and have started spreading information that Cloudflare is the web host for one such hate speech site. Major industry experts such as former Microsoft security analyst Kevin Beaumont have taken the public eye to bring attention to this controversy. [10]
The concept of Bulletproof hosting has been around for a number of years and can be compared to this area of user service provisioning. Major outlets for botnets, malware and illicit websites turn to these resources as a safe haven, either geographically or as a “set up and tear down” operation method for cyber threats. [11]
For Cloudflare to not take an active stance against reducing the interference these harmful websites cause is, in the writer’s opinion, as disgraceful as their neutral stance has been over the past decade. Cloudflare has yet to make a response at the time of writing. Considering their track record on ethics issues, Cloudflare will likely continue to remain silent on the matter.
Unfortunately, the most recent movement will not get the attention it deserves in order to make a positive impact, and for that reason users should think carefully about choosing Cloudflare as their hosting provider. I would encourage users in need of hosting services to look at alternative providers with a legal and ethical track record under their belt.
In conclusion, reckless adoption of technologies continues to have consequences in IT and in turn affects the rest of us. For all user-facing services provided, companies owe it to their users to take a hands-on approach to prevent real world harm from emerging from disruptive tech. Cybersecurity stems well outside of the realm of the internet as it affects users in any geography both monetarily and mentally, and education is key to keeping up with these threats.
Thanks for reading, be back next week with more on my DigitalOcean servers in progress.
Stay Safe.
Works cited:
[1] https://1.1.1.1/
[2] https://www.cloudflare.com/plans/enterprise/
[3] https://www.cloudflare.com/learning/performance/what-is-http3/
[7] https://blog.cloudflare.com/tag/nft/
[8] https://crsreports.congress.gov/product/pdf/R/R47189 Page 13
[10] https://twitter.com/GossiTheDog/status/1562087531587452928
[11] https://www.washingtonpost.com/wp-dyn/content/article/2007/10/12/AR2007101202461.html